Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

FAQ

Why are the scorecards not active if notable events exist?

If correlation searches are working and creating notable events, but the notable events do not appear on scorecards in the Splunk App for PCI Compliance, check the two potential causes below.

Potential cause: Notable events could be suppressed by a suppression rule.

  1. Open the Notable Event Suppression Audit page to determine if suppressions are preventing notable events from appearing.
  2. You can also compare the results from these two searches.

    `notable`

    `notable` | search NOT `suppression`

Potential resolution: Review any suppression rules that exist to confirm that they are accurate and should be enabled or disabled.

Potential cause: For custom correlation searches, notable events could exist but not be linked to a governance and control value in governance.conf.

  1. Compare the results from these two searches.

    `notable`

    `notable` | search (`get_governance(pci)`)

Potential resolution: Link the correlation searches to governance.conf entries. See Configure correlation searches.
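The following Python script is an added example (not part of this manual or the app) of doing the second check offline: it parses a governance.conf file and lists the correlation searches that have produced notable events but are not linked to the `pci` governance framework. The governance.conf layout it assumes (a stanza per correlation search name, with `compliance.<n>.governance` and `compliance.<n>.control` keys) is taken from the Splunk Enterprise Security governance.conf.spec rather than from this page, and both the conf text and the notable counts are constructed sample data.

```python
"""
Offline check: which correlation searches created notable events but have
no PCI link in governance.conf? Added example; the governance.conf key layout
(compliance.<n>.governance / compliance.<n>.control) is assumed from the
Splunk ES governance.conf.spec and is not documented on this page.
"""
import configparser

# Constructed sample governance.conf (not from a real deployment).
# Each stanza name is a correlation search name.
SAMPLE_GOVERNANCE_CONF = """
[Access - Brute Force Access Behavior Detected - Rule]
compliance.0.governance = pci
compliance.0.control = 10.6

[Custom - Cardholder DB Export - Rule]
compliance.0.governance = hipaa
compliance.0.control = 164.308

[Custom - Unusual Admin Login - Rule]
compliance.0.governance = pci
compliance.0.control = 8.1
compliance.1.governance = hipaa
compliance.1.control = 164.312
"""

# Constructed sample of notable event counts per correlation search,
# in the shape that `notable` | stats count by search_name would return.
SAMPLE_NOTABLE_COUNTS = {
    "Access - Brute Force Access Behavior Detected - Rule": 12,
    "Custom - Cardholder DB Export - Rule": 3,
    "Custom - Unusual Admin Login - Rule": 7,
    "Custom - No Governance At All - Rule": 5,
}


def parse_governance(conf_text):
    """Return {correlation_search_name: set of governance frameworks}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the conf
    cp.read_string(conf_text)
    mapping = {}
    for section in cp.sections():
        frameworks = set()
        for key, value in cp.items(section):
            parts = key.split(".")
            # Only compliance.<n>.governance keys name a framework (assumed layout).
            if len(parts) == 3 and parts[0] == "compliance" and parts[2] == "governance":
                frameworks.add(value.strip().lower())
        mapping[section] = frameworks
    return mapping


def unlinked_searches(notable_counts, governance_map, framework="pci"):
    """Searches with notables but no governance.conf link to `framework`.

    A search that is missing from governance.conf entirely counts as unlinked,
    as does one that is linked only to a different framework.
    """
    return {
        name: count
        for name, count in notable_counts.items()
        if framework not in governance_map.get(name, set())
    }


if __name__ == "__main__":
    gov = parse_governance(SAMPLE_GOVERNANCE_CONF)
    missing = unlinked_searches(SAMPLE_NOTABLE_COUNTS, gov)
    for name, count in sorted(missing.items()):
        print(f"{count:4d} notable(s) from '{name}' are not linked to pci in governance.conf")
```

In a real deployment, replace the sample conf text with the contents of the app's governance.conf (local overriding default) and the sample counts with the output of `` `notable` | stats count by search_name ``; every search the script reports is a candidate for the resolution above.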

Cisco add-ons

You can install the various Splunk Add-ons for Cisco products on the search head alongside the Splunk App for PCI Compliance and partially disable them to reduce search and dashboard load.

  • To disable the searches, go to Settings > Searches and Reports, select the app name and disable all searches.
  • To disable their dashboards, go to Settings > User Interface > Views, select the app name and disable all views.

This applies to these add-ons:

Last modified on 26 October, 2016

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2

